Panorama Web Interface Access Privileges

The custom Panorama administrator roles allow you to define access to the options on Panorama and to allow access only to Device Groups and Templates (the Policies, Objects, Network, and Device tabs).

The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Dashboard | Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets. | Yes | No | Yes |
| ACC | Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Yes | No | Yes |
| Monitor | Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab. | Yes | No | Yes |
| Policies | Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab. | Yes | No | Yes |
| Objects | Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab. | Yes | No | Yes |
| Network | Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab. | Yes | No | Yes |
| Device | Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab. You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab. | Yes | No | Yes |
| Panorama | Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab. | Yes | No | Yes |
| Privacy | Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile. | Yes | No | Yes |
| Validate | When disabled, an administrator cannot validate a configuration. | Yes | No | Yes |
| Save | Sets the default state (enabled or disabled) for all the save privileges described below (Partial Save and Save For Other Admins). | Yes | No | Yes |
| • Partial Save | When disabled, an administrator cannot save changes that any administrator made to the Panorama configuration. | Yes | No | Yes |
| • Save For Other Admins | When disabled, an administrator cannot save changes that other administrators made to the Panorama configuration. | Yes | No | Yes |
| Commit | Sets the default state (enabled or disabled) for all the commit, push, and revert privileges described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups, WildFire Appliance Clusters). | Yes | No | Yes |
| • Panorama | When disabled, an administrator cannot commit or revert configuration changes that any administrators made, including his or her own changes. | Yes | No | Yes |
| • Commit for Other Admins | When disabled, an administrator cannot commit or revert configuration changes that other administrators made. | Yes | No | Yes |
| Device Groups | When disabled, an administrator cannot push changes to device groups. | Yes | No | Yes |
| Templates | When disabled, an administrator cannot push changes to templates. | Yes | No | Yes |
| Force Template Values | This privilege controls access to the Force Template Values option in the Push Scope Selection dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template. If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values. | Yes | No | Yes |
| Collector Groups | When disabled, an administrator cannot push changes to Collector Groups. | Yes | No | Yes |
| WildFire Appliance Clusters | When disabled, an administrator cannot push changes to WildFire appliance clusters. | Yes | No | Yes |
| Tasks | When disabled, an administrator cannot access the Task Manager. | Yes | No | Yes |
| Global | Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings. | Yes | No | Yes |
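
The rules above can be checked mechanically when reviewing role definitions. The following is an added example, not Palo Alto Networks code: it audits roles held in a hypothetical dict layout (the `type`, `cli` and `webui` keys and the sample roles are assumptions constructed for illustration, not a Panorama export schema) for states the table does not offer, CLI access on a Device Group and Template role, CLI superuser overriding disabled web privileges, and Force Template Values being enabled.

```python
# States the table on this page offers for every listed privilege:
# Enable = Yes, Read Only = No, Disable = Yes.
ALLOWED_STATES = {"enable", "disable"}


def audit_role(role):
    """Return findings for one role; `role` uses a hypothetical dict layout."""
    findings = []
    web = role.get("webui", {})
    cli = role.get("cli")  # None means no CLI access assigned
    for priv, state in sorted(web.items()):
        if state not in ALLOWED_STATES:
            findings.append(f"{priv}: state '{state}' is not offered at this level")
    if role["type"] == "Device Group and Template" and cli is not None:
        findings.append("CLI access cannot be assigned to this role type")
    disabled = sorted(p for p, s in web.items() if s == "disable")
    if role["type"] == "Panorama" and cli == "superuser" and disabled:
        # CLI superuser grants all features regardless of web privileges.
        findings.append("CLI superuser bypasses disabled web privileges: "
                        + ", ".join(disabled))
    if web.get("Force Template Values") == "enable":
        findings.append("Force Template Values enabled: pushes replace firewall overrides")
    return findings


# Constructed sample roles (not real configuration).
ROLES = [
    {"name": "noc-readonly", "type": "Panorama", "cli": "superuser",
     "webui": {"Dashboard": "enable", "Policies": "disable", "Commit": "disable"}},
    {"name": "dg-ops", "type": "Device Group and Template", "cli": None,
     "webui": {"Policies": "enable", "Monitor": "read-only",
               "Force Template Values": "enable"}},
    {"name": "auditor", "type": "Panorama", "cli": None,
     "webui": {"Dashboard": "enable", "Monitor": "enable", "Commit": "disable"}},
]


def audit_all(roles):
    """Map each role name to its list of findings."""
    return {r["name"]: audit_role(r) for r in roles}


if __name__ == "__main__":
    for name, findings in audit_all(ROLES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```
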
